[Python-Dev] Releases for recent security vulnerability
Jacob Kaplan-Moss jacob at jacobian.org
Sun Apr 17 16:03:51 CEST 2011
- Previous message: [Python-Dev] Releases for recent security vulnerability
- Next message: [Python-Dev] Releases for recent security vulnerability
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Sat, Apr 16, 2011 at 9:23 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:
On Sat, Apr 16, 2011 at 9:45 PM, Gustavo Narea <me at gustavonarea.net> wrote:
>> May I suggest that you adopt a policy for handling security issues like Django's? http://docs.djangoproject.com/en/1.3/internals/contributing/#reporting-security-issues

> When the list of people potentially using the software is "anyone running Linux or Mac OS X and an awful lot of people running Windows or an embedded device", private pre-announcements simply aren't a practical reality. Neither is "stopping all other development" when most of the core development team aren't on the security at python.org list and don't even know a security issue exists until it is announced publicly.

> Take those two impractical steps out of the process, and what you have is the python.org procedure for dealing with security issues.
Just to fill in a bit of missing detail about our process since the doc doesn't perfectly describe what happens:
Our pre-announce list is really short. It consists of release managers for various distributions that distribute packaged versions of Django -- Ubuntu, RedHat, and the like. Yes, it's a bit of bookkeeping, but we feel it's really important to our users: not everyone installs the Django package we put out, so we think it's important to coordinate security releases with downstream distributors so that users get a fixed version of Django regardless of how they're installing Django in the first place.
We don't really halt all development. I don't know why that's in there, except maybe that it pre-dates there being more than a couple-three committers. The point is just that we treat the security issue as our most important issue at the moment and fix it as quickly as possible.
I don't really have a point here as it pertains to python-dev, but I thought it's important to clarify what Django actually does if it's being discussed as a model.
Jacob